Description
The buffer_urldecode function in Lighttpd 1.3.7 and earlier does not properly handle control characters, which allows remote attackers to obtain the source code for CGI and FastCGI scripts via a URL with a %00 (null) character after the file extension.
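The following C sketch is an added example, not lighttpd's code and not part of this advisory; it shows why a decoded null byte after the extension matters and how a strict decoder refuses it. The page does not describe the server's internals, so the example assumes the extension check runs over a length-counted buffer while the file is opened through a NUL-terminated path. All function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Added example; all function names are hypothetical, not lighttpd's. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX from src into dst (strlen(src)+1 bytes). Returns length, or -1
 * on a malformed escape or, when strict, any control byte (< 0x20, 0x7f). */
long url_decode(const char *src, char *dst, int strict) {
    size_t n = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '%') {
            int hi = hexval((unsigned char)src[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
            if (lo < 0) return -1;
            c = (unsigned char)(hi * 16 + lo);
            src += 2;
        }
        if (strict && (c < 0x20 || c == 0x7f)) return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (long)n;
}

/* Suffix match over an explicit length, as a length-counted buffer does. */
int has_suffix(const char *buf, size_t len, const char *ext) {
    size_t el = strlen(ext);
    return len >= el && memcmp(buf + len - el, ext, el) == 0;
}

/* 1 if length-aware and C-string (stops at first NUL) views disagree. */
int views_disagree(const char *buf, size_t len, const char *ext) {
    return has_suffix(buf, len, ext) != has_suffix(buf, strlen(buf), ext);
}

int main(void) {
    char out[64], tmp[64];
    const char *url = "/index.php%00"; /* constructed sample path */
    long n = url_decode(url, out, 0), s = url_decode(url, tmp, 1);
    printf("lenient len=%ld disagree=%d strict=%ld\n",
           n, views_disagree(out, (size_t)n, ".php"), s);
    return 0;
}
```

With the lenient decoder the two views of the path disagree, so under the stated assumption the script handler is skipped while the file on disk is still the script. The strict decoder rejects the request before any extension check runs.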
Remediation
References